[00:00:01] I'm starting this demonstration on my Windows 11 administrative workstation, and what I want to do actually is first start by opening the Run prompt and typing gpedit.msc. This is a shortcut that opens the MMC console for the local system's Group Policy, and this applies to Windows Server as well as Windows Client. So this is just to remind you that Group Policy is built natively into any Windows system, whether it's part of a workgroup or an Active Directory domain. And we have, as I mentioned before, the two sides of the fence: Computer Configuration, which maps to the registry hive HKEY_LOCAL_MACHINE, and User Configuration, which, depending on the setting, normally is going to be HKEY_CURRENT_USER, the currently logged-on user. And within each subdivision we have a Software Settings branch, a Windows Settings branch, and Administrative Templates. The thing about Administrative Templates is that this is where you can extend the capabilities of your Group Policy. Notice here, we can right-click Administrative Templates. These are what are called ADMX files.

[00:01:05] So, for instance, if you want to apply Group Policy to the Office suite or some third-party product, if they offer an Administrative Template, it's pretty easy to incorporate that into Group Policy. So that's a wonderful extensibility. Now, why would you choose to do a setting, like an Administrative Template, under Computer Configuration rather than User? Well, it depends. Computer would be affecting all users on that system, whereas User Configuration normally would affect just the currently signed-in user, you see what I mean? So you want to think about the scope of policy. Now, I can't disable Computer or User Settings in the Local Group Policy Editor, but if we do a Run and do gpmc.msc, this opens the domain Group Policy Management Console. And again, the reason I'm able to get to that on this Windows 11 workstation is that I've installed the Remote Server Administration Tools, or RSAT tools. Now we can see here we've got my forest, we've got my domain, and we can Show Domains, and we can browse to the child, and we can work across our domain tree if we want to. We have the Sites level, where we can apply Group Policy Objects to our Active Directory sites.

[00:02:16] We have the ability to model Group Policy. There's a wizard, if you right-click here, and you can step through, and this is simulating a policy deployment to see how those settings in a new GPO you've created might affect users, groups, etc., depending upon where they are. And then we have the graphical Group Policy Results wizard, Resultant Set of Policy, or RSoP, as it's also called. We have within our domain structure the Default Domain Policy. This is the built-in domain-scoped policy. Now, it's an exam alert. You want to see that in order for a policy to apply to users in your domain, those users are going to have to have read permissions to the policy, and the policy is going to need to be linked. Notice that we can right-click to enable or disable a Group Policy link, and the Default Domain Policy is going to affect the entire domain by default, and Read for Authenticated Users means that all domain users are going to be affected by this system. Note that Domain Admins and Enterprise Admins have custom permissions. Basically, the policy will not apply to administrators, but you can override that. It depends.

[00:03:24] Now, in Domain Controllers, we have the Default Domain Controllers Policy. And this again is going to be policy settings that are scoped to the Enterprise Domain Controllers identity, and this is a good place to enable auditing, for example, on those domain controllers. Let me show you. I'll right-click and choose Edit, and then to get to the auditing, password, and security settings, we can go under Computer Configuration, Policies, Windows Settings, Security Settings, and we have our Account Policies, Local Policies, Event Log. Under Account Policies, we have Password, Account Lockout, and Kerberos Policy. And for Local Policies, we have our Audit Policy. And so for each of these policies, we can choose to define them, and in this case, are you going to audit account logon events that are successful and failed, or just failed, for example? Notice that the graphical interface here does have a really nice explainer. I want to draw your attention to that. All right, let me close out of here and come to the Default Domain Policy and edit that. This is a good place to scope your security and password policies, as I mentioned before. If we go to Policies, Windows Settings, Security Settings, Account Policies, Password Policy, we can see here we've got Maximum password age.

[00:04:40] That's where you would enforce changing a password, if that's going to be your thing. I don't want to explain each of these; we don't really need to. You could search the Pluralsight library; we have plenty of training on Group Policy. But again, I want you to see that the explainer will give you some suggestions: that if you put in 0 for this, if you define it and put in 0 days, then the passwords will not expire. And you may be on board with that idea, that it's better to enforce a stronger password policy and have the user keep that strong password than force them to change the password regularly and then have a weaker password over time. Now, you see here, we've got an OU that I've created called Domain Workstations. Let me actually go to Active Directory Users and Computers, and I'll show you that I have my CLI1, that's this Windows 11 domain member box, scoped in this new OU.

[00:05:29] And watch what happens if I move this computer, and the same thing applies if I tried to move a user account: you get a warning here that says, are you sure you want to do this, because by moving this computer account, I'm going to be taking it out of scope for any GPO or GPOs that would be linked to Domain Workstations. And instead, CLI1 would pick up any linked GPOs that are on my Test OU. So this is just for you to think about, rather, before you arbitrarily start moving user, group, and computer accounts around, that this will affect Group Policy processing on those machines for sure. Now, you might want to think, Domain Admins, of course, they're going to have full ability to author and edit Group Policy. What about delegated administration for GPO management? As it happens, if we go to the Users container, this is an exam alert, I want you to be aware of the built-in Group Policy Creator Owners group. As you can see, this is a global security group that says members in this group can modify Group Policy for the domain.

[00:06:28] So if the exam asks you about delegating the ability to author and manage Group Policy Objects in the domain, a convenient thing to do is populate that domain user, or group, as the case may be, in the Group Policy Creator Owners global group.